CryptON Ransomware Support & Help Topic (<id-number>_x3m, _locked, _r9oj)


491 replies to this topic

#421 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,591 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 November 2017 - 01:02 PM

There are "good" hackers on the side of law enforcement and various government/private agencies. However, if it were that easy to crack ransomware encryption, track down and arrest cyber-criminals, seize their servers, etc., the malware developers would move on to something else.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#422 rstockham23
  • Members
  • 2 posts

Posted 01 December 2017 - 09:03 AM

Our organization was hit hard recently with the Cry36 ransomware. I know there is no way to decrypt this at the moment, but I may have some files to help those out there that work on decryption tools. After scouring event logs and files for hours, I came across some of the files they used in the attack and left behind. Hopefully these will be useful to someone. Let me know if you need any more information. I was able to recognize where they had logged in from a remote desktop connection, attempted to use this software, but antimalware software shut them down, then they connected to other machines on the network until they got it to work. Here's the link to the .zip file with the files: https://drive.google.com/file/d/18CFi8U5KhY9UxrKMw-GOWPgz3BAVkuuf/view?usp=sharing
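The intrusion pattern described in the post above (an RDP logon, a tool blocked by antimalware, then hops to other machines over RDP) is what an incident responder hunts for in the Security log. The following is an added example, not code from the original post: it runs simple detection logic over a constructed set of flattened Windows event records. The event semantics are real (Security 4624 with LogonType 10 is a RemoteInteractive/RDP logon; Windows Defender operational event 1116 is a malware detection); the host names, IP addresses, user names, timestamps and the IP-to-host inventory are made up for the example.

```python
import ipaddress

# Security log 4624 with LogonType 10 = RemoteInteractive (RDP).
# Windows Defender operational log 1116 = malware detected.
EVENT_LOGON = 4624
EVENT_DEFENDER_DETECTED = 1116
RDP_LOGON_TYPE = 10
# RFC 1918 ranges; anything else as an RDP source is an external logon.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (not logs from the post), flattened to the fields used here.
# Timestamps are ISO 8601, so plain string ordering is chronological ordering.
SAMPLE_EVENTS = [
    {"time": "2017-11-28T09:01:12", "host": "FILESRV01", "id": 4624, "logon_type": 10, "user": "admin", "ip": "203.0.113.5"},
    {"time": "2017-11-28T09:03:40", "host": "FILESRV01", "id": 1116, "threat": "HackTool (constructed sample)"},
    {"time": "2017-11-28T09:05:02", "host": "WKS07", "id": 4624, "logon_type": 2, "user": "jsmith", "ip": "-"},
    {"time": "2017-11-28T09:10:55", "host": "APPSRV02", "id": 4624, "logon_type": 10, "user": "admin", "ip": "10.0.0.15"},
    {"time": "2017-11-28T09:11:30", "host": "APPSRV02", "id": 4624, "logon_type": 3, "user": "svc_backup", "ip": "10.0.0.40"},
    {"time": "2017-11-28T09:14:08", "host": "DC01", "id": 4624, "logon_type": 10, "user": "admin", "ip": "10.0.0.16"},
]
# Constructed inventory: which host owns which internal address.
HOST_BY_IP = {"10.0.0.15": "FILESRV01", "10.0.0.16": "APPSRV02", "10.0.0.40": "WKS07"}


def is_internal(ip: str) -> bool:
    """True if the address lies in one of the internal ranges; '-' and junk count as not internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def rdp_logons(events):
    """All successful RDP logons, oldest first."""
    hits = [e for e in events if e["id"] == EVENT_LOGON and e.get("logon_type") == RDP_LOGON_TYPE]
    return sorted(hits, key=lambda e: e["time"])


def external_rdp_logons(events):
    """RDP logons whose source address is outside the internal ranges: the initial entry point."""
    return [e for e in rdp_logons(events) if not is_internal(e["ip"])]


def rdp_hop_chain(events, host_by_ip):
    """Follow RDP sessions host to host. A logon whose source IP belongs to a host
    that itself received an RDP logon earlier is recorded as a hop (src, dst, user, time)."""
    chain = []
    first_seen = {}
    for e in rdp_logons(events):
        src_host = host_by_ip.get(e["ip"], e["ip"])
        if src_host in first_seen:
            chain.append((src_host, e["host"], e["user"], e["time"]))
        first_seen.setdefault(e["host"], e["time"])
    return chain


def defender_detections_after(events, logon):
    """Defender 1116 detections on the same host after the given logon: the
    'tried the tool, antimalware shut it down' step."""
    return [e for e in events
            if e["id"] == EVENT_DEFENDER_DETECTED and e["host"] == logon["host"] and e["time"] > logon["time"]]


if __name__ == "__main__":
    for entry in external_rdp_logons(SAMPLE_EVENTS):
        print(f"external RDP logon: {entry['user']} from {entry['ip']} on {entry['host']} at {entry['time']}")
        for det in defender_detections_after(SAMPLE_EVENTS, entry):
            print(f"  followed by Defender detection on {det['host']}: {det['threat']}")
    for src, dst, user, when in rdp_hop_chain(SAMPLE_EVENTS, HOST_BY_IP):
        print(f"RDP hop: {src} -> {dst} as {user} at {when}")
```

On a real host the same fields come out of `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}` (the LogonType and IpAddress fields live in the event's XML data); the logic above is the part that does not change.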



#423 rstockham23
  • Members
  • 2 posts

Posted 05 December 2017 - 10:03 AM

Has anyone successfully paid the ransom and received a working unlocker/key, etc for Cry36?  If so, would you be willing to share your unlock software and key for reverse engineering purposes?



#424 Emmanuel_ADC-Soft
  • Members
  • 341 posts
  • Gender:Male
  • Location:Paris

Posted 05 December 2017 - 12:18 PM

Hello,

You should use another service than Google Drive, as Google Drive gives the error "Sorry, this file is infected by a virus, only the owner is allowed to download infected files."

Kind regards, Emmanuel



#425 akdrsdy
  • Members
  • 2 posts

Posted 10 December 2017 - 06:45 AM

Hi, I got an unlocker that was paid for. Our files are encrypted as "id_xxx_[xxx@xxx.com].nemesis". As friends said, it's showing "error extension file". I want to solve this problem, but I don't know where to start. Can someone help me with a starting point for reverse engineering?



#426 flatronic
  • Members
  • 4 posts

Posted 31 January 2018 - 03:45 AM

Hey guys,

We had bad luck with one of our customers. Luckily, most of the files we could get from the backup. The bad thing: there was one external HDD on the server which got encrypted.

So I tried Cry9, Cry128 (which starts brute forcing but cannot find any) and CryptON.

Files look like: .id_1234567890_[MerlinStusan@protonmail.com].nemesis

I also have an original and an encrypted file and the original ### DECRYPT MY FILES ### txt, which indicated the Nemesis decryptor.

Any suggestions? Should I somehow upload my files somewhere? Is this post right in this forum?

By the way, the size on the filesystem of both files is 264 KB; it's just that the .nemesis file is 36 bytes bigger.

Thanks for your support and any help.

Regards

Flat



#427 akdrsdy
  • Members
  • 2 posts

Posted 31 January 2018 - 03:50 AM

@flatronic can you send me a sample file? i can try with my unlocker.



#428 flatronic
  • Members
  • 4 posts

Posted 31 January 2018 - 03:56 AM

@flatronic can you send me a sample file? i can try with my unlocker.

Yes, no problem. I'll send you a PM to organize it :-)



#429 flatronic
  • Members
  • 4 posts

Posted 02 February 2018 - 06:35 AM

Dear Mods,

Anything I can do or provide you with to analyse?

Thanks & regards



#430 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,591 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 02 February 2018 - 07:44 AM

You're probably dealing with Cry36, which is not decryptable.

Did you submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware for assistance with identification and confirmation?

#431 flatronic
  • Members
  • 4 posts

Posted 06 February 2018 - 03:15 AM

Hey there,

Case: e8e7782214eda81f4ba58dd9e9e998c02353a432

I also have encrypted and decrypted example files of the same.



#432 audi911
  • Members
  • 9 posts

Posted 26 March 2018 - 12:06 PM

Hi, I am facing an issue with decrypting my files.

I started a thread here:

https://www.bleepingcomputer.com/forums/t/674142/this-ransomware-is-decryptable-crypton/

I was advised to drag 2 files (one locked and one original) into the software.

I have found both some original files identical to locked ones and other non-original files.

Every time I drag 2 files into the CryptON file decrypter I get the following error message:

Invalid File Pair

The files you provided do not appear to be a valid cryptON file pair or are unfit for decryption purposes. Please provide files of size 128KB and larger. The encrypted file needs to be exactly 16 bytes bigger than the unencrypted version of the file.

Am I using the wrong software? What am I doing wrong?

These are files that are from a backup I took of the hard drive (they are on a USB stick at the moment).

They are all the original files.

Thanks!

PS: when I input my files here https://id-ransomware.malwarehunterteam.com/ it tells me it is decryptable and to use the Emsisoft CryptON decrypter.


Edited by audi911, 26 March 2018 - 12:11 PM.


#433 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,527 posts
  • Gender:Male
  • Location:USA

Posted 26 March 2018 - 12:30 PM

@flatronic

ID Ransomware clearly identified your case as Cry36, which is not decryptable.

@audi911

Did you upload both a ransom note and encrypted file to ID Ransomware? Some of the actors of the original CryptON used the same email address with other strains of ransomware, which would give a false-positive if you are only providing the ransom note. If you were hit recently, I doubt it is CryptON, as that has not been distributed for nearly a year. You may share an encrypted file for manual inspection if you wish.

And in regard to your prior topic, yes, your logic was flawed, and your analogy does not apply. It is not a "ridiculous solution" to request an encrypted file and its original. The way we "break" most ransomware requires a plaintext attack, where we try to decrypt the encrypted file, and compare the result to see if the key was correct. If the key is correct, then it can be used to decrypt all other files. Thanks for attacking the methods used by those who are trying to help people and have been working with cryptography much longer.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
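Two technical points in the exchange above deserve a worked illustration: the decrypter's "Invalid File Pair" rule quoted by audi911 (files of 128 KB or larger, encrypted file exactly 16 bytes bigger than the original) and the plaintext attack Demonslay335 describes (try a candidate key on the encrypted file, compare the result with the original, and once a key checks out reuse it on every other file). The Python below is an added example and is neither Emsisoft's decrypter nor CryptON's cipher, which this page does not describe. It uses a constructed toy stream cipher whose 16-byte per-file nonce is prepended to the ciphertext (that prefix is what makes the output exactly 16 bytes larger, the same size relationship the real decrypter insists on) and a deliberately tiny 2-byte key space so an exhaustive search finishes in well under a second. Whether the candidate keys come from brute force, as the Cry128 decrypter mentioned earlier in the thread does, or from a flaw in how the ransomware generated them, the verify-by-comparison step is the same.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed toy scheme for this example only (CryptON's real cipher is not on the page):
#   ciphertext = 16-byte nonce || (plaintext XOR keystream)
#   keystream block i = SHA-256(key || nonce || i)
# Prepending the nonce is why the encrypted file is exactly NONCE_LEN bytes longer.
NONCE_LEN = 16
MIN_PAIR_SIZE = 128 * 1024   # the decrypter asks for files of 128 KB and larger
KEY_LEN = 2                  # toy key space (65,536 keys) so the search is instant


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Stand-in for the ransomware: one key for every file, a fresh nonce per file."""
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt_with_key(key: bytes, encrypted: bytes) -> bytes:
    nonce, body = encrypted[:NONCE_LEN], encrypted[NONCE_LEN:]
    return _xor(body, _keystream(key, nonce, len(body)))


def validate_pair(original: bytes, encrypted: bytes) -> Tuple[bool, str]:
    """Mirror the decrypter's 'Invalid File Pair' checks. Returns (ok, reason)."""
    if len(original) < MIN_PAIR_SIZE:
        return False, f"original is {len(original)} bytes; need {MIN_PAIR_SIZE} or more"
    delta = len(encrypted) - len(original)
    if delta != NONCE_LEN:
        # e.g. the 36-byte difference seen on the .nemesis (Cry36) files in this thread:
        # the pair does not come from the scheme this decrypter understands.
        return False, f"encrypted file is {delta} bytes bigger; expected exactly {NONCE_LEN}"
    return True, "ok"


def recover_key(original: bytes, encrypted: bytes, probe_len: int = 32) -> Optional[bytes]:
    """Known-plaintext search: for each candidate key decrypt only a short probe and
    compare it with the original; a probe match triggers the full decrypt and a
    full comparison, so a coincidental partial match cannot slip through."""
    ok, reason = validate_pair(original, encrypted)
    if not ok:
        raise ValueError("Invalid File Pair: " + reason)
    nonce, body = encrypted[:NONCE_LEN], encrypted[NONCE_LEN:]
    probe_ct, probe_pt = body[:probe_len], original[:probe_len]
    for k in range(256 ** KEY_LEN):
        key = k.to_bytes(KEY_LEN, "big")
        if _xor(probe_ct, _keystream(key, nonce, probe_len)) != probe_pt:
            continue
        if decrypt_with_key(key, encrypted) == original:
            return key
    return None


if __name__ == "__main__":
    # Constructed demo: the attacker's key, a 128 KB pair, and a second file with
    # no original, which only the recovered key can bring back.
    attacker_key = b"\x5a\x3c"
    original = bytes(range(256)) * 512          # exactly 128 KB
    encrypted = toy_encrypt(attacker_key, original)
    found = recover_key(original, encrypted)
    other = toy_encrypt(attacker_key, b"no original for this one\n" * 40)
    print("recovered key:", found.hex())
    print("second file decrypts to:", decrypt_with_key(found, other)[:24])
```

The probe-then-full-compare structure is the practical shape of this attack: the cheap check runs once per candidate, the expensive full decryption only on the rare hit. The validation step is also why the decrypter refuses flatronic's pair above without even trying: a 36-byte growth means the file was not produced by the cipher it knows how to reverse.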


#434 audi911
  • Members
  • 9 posts

Posted 26 March 2018 - 01:56 PM

Hi, so I could be wrong, but I'm only going by what my eyes see.

Correct me if I'm reading this incorrectly or if I'm part of a special variant of this kind of ransomware that is detected as decryptable but is not.

TY

https://ssl-proxy-updated.herokuapp.com/c92152fb8381ab66627c806a22264eb543e6ff0f/687474703a2f2f6936352e74696e797069632e636f6d2f7a75327564322e6a7067/


Edited by audi911, 26 March 2018 - 01:57 PM.


#435 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,527 posts
  • Gender:Male
  • Location:USA

Posted 26 March 2018 - 02:08 PM

Hmm. Could you share the file pair (encrypted and original) you were trying with the decrypter with a third-party sharing service? Feel free to PM them if you believe it sensitive data. Since it was identified on ID Ransomware (even though this may still be a false-positive), it deletes your submissions.






